Posted
by
timothyon Sunday August 29, 2010 @11:50AM
from the share-nicely dept.

An anonymous reader writes "The H Online writes: 'Microsoft has placed its process for secure software development under a Creative Commons License. The company hopes that this will lead to more developers utilising its process for programming software more securely across the entire product lifecycle ...'"

if the thieves are getting past the guards, I would not want to emulate them.
Something is wrong and needs to change, and till its changed I would not want to copy a security model that isn't secure.
The question is, is it insecure because of a failure in the model or is it because so many resourceful thieves are finding ways around the so called safeguards.
Who can know?

Windows can be very heavily locked down so end-users can literally do nothing more than that which is explicitly made available to them. Heck, with something like SteadyState, it can even roll back any changes with a simple reboot.

But far too many third party developers seem to actively go out of their way to break any security - they seem to have some sort of mental block understanding that the assumptions you make when you're designing an application which will run on a system which you can more or less guarantee will only ever have one person using it (and that person has no realistic hope of screwing it up badly simply because there's so little to screw up) simply do not work on a modern multi-user, multi-tasking networked operating system.

I've lost count of the number of applications - and these aren't crappy things you find on download.com, they're expensive commercial products that are intended to have multiple users - that explicitly expect the end-user to have local admin rights and their first support response is "Does the user have admin rights? No? Go away and come back when they do. I don't care if you can explicitly prove that this isn't the issue here...".

No software can truly be secure. You have to assume that your security will eventually be breached and you have to make an effort to mitigate the damage when a breach occurs. If Microsoft and others want to help, they should be working to make the mitigation side of the equation easier.

Companies that run these operating systems and other software do not think of security at all. They just assume that everything's fine. Home users are even worse. That attitude will also have to change for things to get better.

So, the "Unix internals vs NT internals" is resumed as UNIX not having ACL security?

Pfffff.. Yeah, looks like you know a lot more on the subject.

WRONG. Unlike windows, which only supports ONE ACL scheme which is builtin, the most variety of UNIXes out there supports complex ACL mechanisms through a modular design or patches. Windows ACLs are also very basic compared to the full access control provided by SELinux.

Wow, not just did you ignore most of the text in the advisory, but you dont know anything about how malware works either, do you? Gee, adding things to the startup folder/registry means it might take what... two boots? to fully infect a machine with a piece of malware that has then gained full privileges? I've watched (on both Windows 7 and Vista) malware initiate itself using svchost and smss to, with admin privileges, install themselves with the same privileges. All it took, on a locked down machine, was a couple reboots. So yeah, kernel mode drivers and full access may be worse, but in the end, it doesnt matter. The end results are the same.

WTF are you prattling on about?.NET insecure? Seriously? Do you even know what you're talking about? You are making vague claims that make little sense. Like calling the Firefox plug-in a security flaw.. It's using the mechanism that Firefox provided for machine wide-plugins. Firefox has since improved on that, but it wasn't MS's fault nor was it a security flaw.

Please, point me to some evidence of any severe unpatched.net flaws or exploits. I don't know of any. I think you are confused and simply applying catchphrases you've heard and pretending you know what you're talking about.